On 2023-05-23 13:31:29 +0100 (+0100), Sean Mooney wrote:
> On Tue, 2023-05-23 at 13:19 +0100, wodel youchi wrote:
> > Does OpenStack have the notion of tenant admin?
>
> no it does not.
> there is global admin or you can use member.
>
> > If not, can a role be created to simulate such notion?
>
> not really
> you could use custom policy to simulate it but the real question you have to ask/answer is what would a tenant admin be able to do that a project member can't.
[...]

Developers have been working recently on adding a read-only "reader" role to their respective services as an initial phase of the Consistent and Secure Default RBAC goal[*], so you might think of it as people who need to be able to make changes to project resources (project members) are conceptually akin to your tenant admin idea while people who only need to be able to look at status and settings for project resources (project readers) are limited to just those capabilities and cannot make changes.

In phase 3, the plan (as it stands now) is to add a project "manager" role which will gain exclusive control of lower level resource API methods, further limiting the current project member role.

[*] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rba...

--
Jeremy Stanley